Posts filed under ‘network’

On the Internet, Anonymous has become a badge, a group, an idea. It’s all a bit nebulous really. It could quickly just fizzle out. On the other hand, it might just be the start of something new, something big, an emergent phenomenon.

Let’s start with meme. According to Wikipedia, a meme is an “idea or behaviour that can pass from one person to another by learning or imitation.” Examples of memes include ideas, theories, practices, fashions, habits, etc. The word was coined by Richard Dawkins in 1976 and has caught on as “a convenient way of discussing a piece of thought copied from person to person.”

Most people are familiar with the use of anonymous as a default name for a person on the Internet whose identity is unknown. Post a comment without identifying yourself and it’s likely to be attributed to anonymous.

But then anonymous began emerging as Anonymous, a sort of in-joke. Many people think it originated from the site 4chan, an image-based bulletin board where anyone can post comments and share images anonymously. Definitely not for the faint-hearted. Almost anything is acceptable. That’s led to a clique with their own language, norms, jokes, values… culture?

In turn, that’s led to a movement on the Internet, perhaps one that can be best described as an Internet meme.

In an often-quoted article in the Baltimore City Paper called Serious Business, “anons” are linked with repeated attacks on the Church of Scientology, called Project Chanology, “a battle that pits an anarchic, leaderless group of mostly young and tech-savvy activists organized through online forums and chat rooms against a religion formed in the 1950s whose adherents believe a science-fiction writer laid down the course to world salvation.”

Their words are ominous: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”

Anonymous has been linked with more attacks, such as a DDoS attack on the SOHH (Support Online Hip Hop) website and even the attack on Republican vice presidential candidate Sarah Palin’s personal Yahoo! Mail email account.

Anonymous has now become a movement, a moniker for a wide range of leaderless groups, from fringe elements on a path of reckless destruction to activists united in a sort of superconsciousness.

It could amount to nothing, a passing ripple in Internet history. Or, it could also become something far more potent, such as a rallying cry for the anti-establishment, a new breed of cyber-vigilantes.

In many ways, Anonymous is the child of the Internet. Do we get the children we deserve?

When a website has EV certs, the address bar in browsers (IE 7, Firefox 3) turns green. According to VeriSign, “There is a natural positive psychological impact when a person sees the green address bar.”

EV certs primarily depend upon two assumptions to be effective against phishing. Both of these seem to be flawed:

– First, that the bad guys can’t get EV certs. The problem is that the two pieces of information that the Guidelines for issuing certs require to prove that a “legal entity” exists are not really a problem for the bad guys. All they need is proof of incorporation and a physical business address. These hardly present an insurmountable hurdle.

– Second, that people will understand what the address bar in their browser turning green means and, more importantly, that if it does not turn green when it should, they will notice, understand what is happening and stop interacting with the site. As the research shows, at least currently, this is simply not happening. While PayPal and others believe that this is only a matter of time, in my view relying on people to implement your security feature is a big ask.

So, should a site get EV certs knowing that they probably won’t stop phishing and that the main beneficiary is the CA, which gets extra money over ordinary SSL certs? Unfortunately, the answer is yes. Not because they provide any real benefit but because they do no harm. And that’s hardly a strong endorsement of the great hopes that backers of EV certs held out a year back.

Extending this debate, should an OpenID identifier be treated as PII and protected similarly?

IP addresses are meant to be locators for devices on a network and often do not map to a unique identifier (for example, where the IP address is dynamically assigned or NAT is being used for an external connection).

As a privacy counsel for Google told the EU meeting, “There is no black and white answer: sometimes an IP address can be considered as personal data and sometimes not, it depends on the context, and which personal information it reveals.”

On the other hand, Germany’s data protection commissioner believes that when someone is identified by an IP address “then it has to be regarded as personal data.”

This is going to be an interesting debate. To spice things up, let’s throw things like persistent cookies and ISP/OP logs into the mix.

I don’t know too much about crypto stuff so when I came across Kerckhoffs’ principle, I was intrigued. This 19th century principle states that a (military crypto) system should be secure even if everything about the system, except the key, is public knowledge.

It was reformulated as “the enemy knows the system” by Claude Shannon and contrasts with the security by obscurity approach.

Got me thinking. I think the point is that the strength of a system is inversely proportional to the number of secrets it has to rely on, i.e. a system which relies on several secrets for its security is inherently less secure than one that relies on a small number of secrets (ideally, none except the “key”).

So, a strategy that relies on people’s ignorance is risky.

While this seems intuitive for crypto, I think it can be applied to all sorts of things with interesting results. Authentication systems for one. Proprietary vs. open standards for another. Applying this to government policies makes transparency a better choice.

Come to think of it, in many of my public presentations, I have described the way NZ authentication services are architected and work at a fairly detailed level. The underlying belief was in line with Kerckhoffs’ principle in that they do not rely on obscurity to be secure.
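The contrast drawn above, applied to authentication tokens, as an added example that is not part of the original post: one scheme whose only secret is its algorithm, and one built on a public algorithm (HMAC-SHA256) with a single secret key. The function names and the sample username are made up for illustration.

```python
import hashlib
import hmac
import secrets

# Scheme A (security by obscurity): the token is an unkeyed transform of the
# username. Its only "secret" is the algorithm itself.
def obscure_token(username: str) -> str:
    return hashlib.sha256(username[::-1].encode()).hexdigest()[:32]

def obscure_verify(username: str, token: str) -> bool:
    return hmac.compare_digest(obscure_token(username), token)

# Scheme B (Kerckhoffs): the algorithm is public (HMAC-SHA256); the only
# secret is a random key that can be replaced without redesigning anything.
def keyed_token(key: bytes, username: str) -> str:
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()

def keyed_verify(key: bytes, username: str, token: str) -> bool:
    return hmac.compare_digest(keyed_token(key, username), token)

def enemy_knows_the_system(username: str, server_key: bytes) -> dict:
    """Model Shannon's assumption: the adversary has read all the code above
    but does not hold server_key. Report which scheme still rejects them."""
    # With the algorithm public, scheme A tokens can be recomputed by anyone.
    forged_a = obscure_token(username)
    # For scheme B the adversary can only guess a key; a wrong key gives a wrong tag.
    forged_b = keyed_token(secrets.token_bytes(32), username)
    return {
        "obscure_scheme_accepts_forgery": obscure_verify(username, forged_a),
        "keyed_scheme_accepts_forgery": keyed_verify(server_key, username, forged_b),
    }

def rotate_after_leak(old_key: bytes, username: str) -> bool:
    """If the one secret leaks, recovery is a key change: tokens minted under
    the leaked key stop verifying. Returns True when the old token is rejected."""
    stolen = keyed_token(old_key, username)
    new_key = secrets.token_bytes(32)
    return not keyed_verify(new_key, username, stolen)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    print(enemy_knows_the_system("alice", key))
    print("old token rejected after rotation:", rotate_after_leak(key, "alice"))
```

When the algorithm is the secret, a leak means redesigning the scheme; when the key is the secret, a leak means replacing 32 bytes.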

At the recent Digital Future Summit 2.0 in Auckland, Laurence Millar of the State Services Commission gave an excellent presentation (ASF/Windows media file; just over 26 minutes but skip the first 3 minutes) entitled “The Government’s supporting role”.

He gave the following examples where Web 2.0 technologies have been used very effectively by NZ government organisations:

– a wiki from the NZ Police for getting the views of the public in developing new legislation (the Police Act Review). A bonus nugget: “wiki” is an anagram for “kiwi”!

CAPTCHAs – those distorted letters and numbers that you need to figure out and type in to prove you are human – are everywhere on the Web nowadays. They span the entire spectrum from very bad to competent. The topic of CAPTCHAs also invariably brings forth all the frustrations people have in using them.

Using unsuspecting humans to get around CAPTCHAs is well known. For example, displaying the CAPTCHA from a genuine site to a person to solve in return for the person getting free access to porn.

A blog post on Coding Horror led me to the site of a Chinese hacker that sells software for breaking CAPTCHAs. The site has a very interesting page in which CAPTCHAs from well known sites are shown with how easy (or not) it is to break them. The software price is proportional to the ease of breaking.

For example, 9you (a Chinese online games site) is listed as easy with a 100% cracking rate. On the other hand, cracking eBay CAPTCHAs is listed as moderate with a 70% accuracy rate and is 8 times the price.

Perhaps not so surprisingly, the three that can’t be broken by the software are Google, Yahoo, and Hotmail. Comments on the Coding Horror page point to Google as having the best CAPTCHA: easy for people to figure out yet impossible to break programmatically.

New Zealand’s dubious claim to fame is being home to one of the world’s largest botmasters: Owen Walker, aka AKILL, aka Snow Whyte, aka leader of the A-Team.

The 18-year-old stays in the Waikato town of Whitianga and police have described him as “very, very bright in terms of his ability to produce this sort of code.” He suffers from Asperger’s syndrome, a mild form of autism often characterised by social isolation but great intelligence and talent in a particular area. He was something of a loner at school, picked on by bullies, and completed his education using a correspondence course after leaving school early (when 14).

The police raids were a result of Project Bot Roast run by the FBI. The trigger seems to be a revenge 50,000-bot attack on IRC servers that inadvertently brought down U Penn’s network.

He is also being investigated by the Dutch for his role in an adware scheme thought to have infected 1.3 million computers.

Thanks to the mainstream media, middle-New Zealand is getting a whole new vocabulary that includes words like bots, zombies, botnets, botherders, malware, adware, distributed denial of service attacks, and Trojans.

“It’s a cultural change for us,” said Andrew McAlley, a spokesman with the New Zealand Police. “I think it’s going to take time for New Zealanders to come to grips with the ramifications of it.”